Structure-aware computation of predicate abstraction
A. Cimatti, J. Dubrovin, T. Junttila, M. Roveri
Fondazione Bruno Kessler, Trento, Italy
Helsinki Institute of Technology, Finland
Predicate abstraction: symbolic view
- Concrete state as an assignment to the variables X: booleans, bit vectors, reals, integers, ...
- Concrete program as an SMT formula CR(X, X')
- Abstract state as an assignment to the boolean variables P_i
- Predicates as SMT formulae ψ_i(X)
- Abstraction function Abstr(X, X', P, P') = ∧_i (P_i ↔ ψ_i(X)) ∧ ∧_i (P_i' ↔ ψ_i(X'))
- Computing predicate abstraction:
  - obtain a boolean representation for AR(P, P')
  - amenable to symbolic model checking
  AR(P, P') = ∃X X'.( CR(X, X') ∧ ∧_i (P_i ↔ ψ_i(X)) ∧ ∧_i (P_i' ↔ ψ_i(X')) )
Structure-aware abstraction, FMCAD'09, Austin, TX
From Q-SMT to Boolean
[Figure: the quantified SMT formula ∃X X'. Φ(X, X', P, P') is abstracted into the purely boolean Φ_B(P, P')]
- Predicate abstraction
  - at the core of many verification approaches
  - often a bottleneck
Avoid monolithic computation
[Figure: instead of quantifying ∃X X' over the whole of Φ(X, X', P, P') at once, reduce it to several smaller quantifications ∃V_1, ∃V_2, ∃V_3 whose results combine into Φ_B(P, P')]
Structure-aware predicate abstraction
- New procedure for predicate abstraction
- Exploits the available problem structure
- At the high level: structure of the system being abstracted
  - modules, scope of variables, nature of transitions
- At the low level: structure of the quantified formula
  - reduce the scope of quantification
High level framework
- System structured in several components
- Asynchronously composed via interleaving
- Transitions:
  - local transitions
  - synchronizing transitions
  - timed transitions
- Variables:
  - local
  - write-one / read-many
  - write-many / read-many
  - global: the same for all components!
- Example constraints and their SMT encoding:
  - Invariant: x in [10, 20]; SMT: 10 ≤ x ∧ x ≤ 20
  - Flow condition: der(x) in [1.1, 1.3]; SMT: x + 1.1 ≤ x' ∧ x' ≤ x + 1.3
- Some features are common also to
  - software programs
  - concurrent systems
Predicate abstraction procedure
- Ingredients
  - disjunctively partitioning the concrete program
  - inlining
  - clustering
  - blocking and restricting models
  - value sampling
Abstracting one transition
- During a transition, several components may not change
- In local transitions
  - only the active process is modified
  - for the others: loc' = loc, x' = x, ...
- Synchronizing transitions
  - similarly, only the active processes change
- Timed transitions
  - discrete locations do not change
- Lots of potential for inlining
Rules for inlining
- ∃X.( Φ ∧ (u = ψ) ) rewrites to ∃X.( Φ[u / ψ] )
  - where u is in X, and does not occur in ψ
- ∃X.( Φ ∧ (q ↔ ψ) ) rewrites to (q ↔ ψ) ∧ ∃X.( Φ[q / ψ] )
  - where ψ is propositional, and q does not occur in ψ
- ∃X.( Φ ∧ (θ ↔ ψ) ) rewrites to ∃X.( Φ[θ / ψ] ∧ (θ ↔ ψ) )
  - where ψ is propositional but θ has variables in X
Practical limitations
- A variable in one component may be referred to in the flow conditions of other components
  - this indirectly influences its behaviour
- Predicates can introduce correlations that are not directly present in the original system
  - e.g. (x + y < 10) connects x and y
Clustering
- ∃X.( Φ_1(X_1, P) ∧ Φ_2(X_2, P) ∧ ... ∧ Φ_n(X_n, P) )
- Each variable in X occurs in at most one of the clusters X_i
- Each cluster can be dealt with independently
- Trade one big quantification for many (hopefully smaller) quantifications:
  ( ∃X_1. Φ_1(X_1, P) ) ∧ ( ∃X_2. Φ_2(X_2, P) ) ∧ ... ∧ ( ∃X_n. Φ_n(X_n, P) )
Blocking and restricting models
- When computing Φ_B(P) := ∃X. Φ(X, P)
  - replace ∃X. Φ(X, P) with ∃X.( ¬Φ_B(P) ∧ Φ(X, P) ), where Φ_B(P) is the part of the result computed so far
- Rationale
  - boolean reasoning is cheaper than SMT reasoning
  - models in Φ_B have already been visited
  - force exploration to other models within ¬Φ_B
- When computing
  - Φ_B0(P) ∧ ∃X_1. Φ_1(X_1, P) ∧ ∃X_2. Φ_2(X_2, P) ∧ ... ∧ ∃X_n. Φ_n(X_n, P)
- We can use previously computed conjuncts to prune each quantification
  - ∃X_1.( Φ_1(X_1, P) ∧ ¬Φ_B0(P) )
  - ∃X_2.( Φ_2(X_2, P) ∧ ¬Φ_B01(P) )
  - ∃X_3.( Φ_3(X_3, P) ∧ ¬Φ_B012(P) )
- Restrict to models still worth exploring
Variable sampling
- "Quasi clustering": a single variable w prevents clustering
  - ∃X.( Φ_1(w, X_1, P) ∧ Φ_2(w, X_2, P) ∧ ... ∧ Φ_n(w, X_n, P) )
- Pick one value c for w, substitute it, and cluster
  - ∃X\w.( Φ_1[w/c](X_1, P) ∧ Φ_2[w/c](X_2, P) ∧ ... ∧ Φ_n[w/c](X_n, P) )
- Result: an underapproximation Φ_{w/c}(P)
  - computed as one cofactor with respect to w = c
  - we still have to cover the case w ≠ c
  - ∃X.( w ≠ c ∧ Φ_1(w, X_1, P) ∧ Φ_2(w, X_2, P) ∧ ... ∧ Φ_n(w, X_n, P) )
- The process can be iterated
  - need to block already covered models
  - need to find a suitable sequence of instantiations
Sampling-driven quantification

    SamplingAllSMT(Phi, X, W) {
        res := False;
        (sat, mu) := SMTSolve(Phi);
        while sat do
            c := PickValue(mu, W);                      // value of the sampled variable(s) in the model
            new := AllSMT(not res and Phi[W / c]);      // cofactor: now clusterable; block known models
            res := res or new;
            (sat, mu) := SMTSolve(Phi and not res);     // any model not yet covered?
        end while
        return res;
    }
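The following is an added, self-contained illustration of the sampling-driven quantification on a constructed toy problem; it is not code from the paper or from NuSMV/MathSAT. Brute-force enumeration over a small finite domain stands in for the SMT solver, the shared variable w is the one that prevents clustering, and the cofactor Phi[w/c] is abstracted cluster by cluster, as on the clustering and variable-sampling slides.

```python
from itertools import product

DOM = range(4)  # constructed finite domain standing in for an SMT theory

# Constructed constraint Phi(w, x, y): w is shared by both conjuncts, so the
# formula only splits into the clusters X1 = {x} and X2 = {y} once w is fixed.
PHI1 = lambda m: m["x"] >= m["w"]
PHI2 = lambda m: m["y"] + m["w"] >= 3
PHI = lambda m: PHI1(m) and PHI2(m)
PREDS = [lambda m: m["x"] > 1, lambda m: m["y"] < 2]  # p1 over X1, p2 over X2
VARS = ["w", "x", "y"]

def abstract(mu, preds=PREDS):
    """Abstract state of a concrete model: the tuple of predicate truth values."""
    return tuple(p(mu) for p in preds)

def smt_solve(phi, vars_):
    """Stand-in for SMTSolve: first satisfying assignment of phi, or None."""
    for vals in product(DOM, repeat=len(vars_)):
        mu = dict(zip(vars_, vals))
        if phi(mu):
            return mu
    return None

def all_smt(phi, vars_, preds):
    """Stand-in for AllSMT: every abstract model of exists vars_.(phi and P_i <-> pred_i)."""
    models = set()
    for vals in product(DOM, repeat=len(vars_)):
        mu = dict(zip(vars_, vals))
        if phi(mu):
            models.add(abstract(mu, preds))
    return models

def clustered(c):
    """Abstract the cofactor Phi[w/c]: each cluster is quantified on its own
    and the per-cluster abstractions are combined by cartesian product."""
    fix = lambda f: (lambda m: f({**m, "w": c}))
    local = [all_smt(fix(PHI1), ["x"], [fix(PREDS[0])]),
             all_smt(fix(PHI2), ["y"], [fix(PREDS[1])])]
    return {a + b for a, b in product(*local)}

def sampling_all_smt():
    """SamplingAllSMT over Phi with the single sampled variable w."""
    res = set()
    mu = smt_solve(PHI, VARS)
    while mu is not None:
        c = mu["w"]                     # PickValue(mu, {w})
        res |= clustered(c)             # res := res or AllSMT(Phi[w/c]); blocking via set union
        mu = smt_solve(lambda m: PHI(m) and abstract(m) not in res, VARS)  # Phi and not res
    return res
```

With this domain the result has three abstract states; the monolithic `all_smt(PHI, VARS, PREDS)` returns the same set, which is the exactness claim of the procedure.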
Implementation
- Extended NuSMV
  - empowered with SMT functionalities
  - types: reals, integers, bit vectors, ...
- MathSAT SMT solver used as backend
- High level simplifications
  - network of automata
  - python script to generate the disjunctively partitioned representation
- Low level simplifications as a rewriter over quantified formulae
- Abstraction based on the AllSMT version of MathSAT
Experimental setup
- Two classes of problems
  - from the HyTech distribution
  - randomly generated networks of automata
- Compared algorithms
  - mono
  - + partitioning
  - + clustering
  - + v-sampling
Results on HyTech models
[Figure: results chart, not reproduced]
Results on random LHAs
[Figure: results chart, not reproduced]
Related work
- Imprecise techniques
  - Cartesian abstraction
- Boolean quantification
  - BDD-based
  - SAT-based
- Monolithic SMT-based predicate abstraction
  - AllSMT [CAV06]
  - BDD + SMT [FMCAD07]
- Software model checking: BLAST, SATABS
  - partitioning transition by transition in the CFG
  - forward image computations by inlining unmodified variables
- Avoid abstraction computation
  - directly compute abstract violations [FM09]
  - no need for AllSMT functionality
Conclusions
- A structure-aware procedure for the exact computation of predicate abstraction
- Exploit high level structure
  - transition partitioning
  - variable scope
- Exploit low level structure
  - formula quantification, clustering
  - value sampling
- Significant speed-ups
Future work
- Comprehensive comparison with other methods
  - experiment with BDD-based abstraction
- Measure impact on the CEGAR loop
- Application to post-image computation
  - reachability in the abstract space
- Full incrementality